| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 4 Jun 2013 23:56:37 +0300 From: "MustLive" <mustlive@...security.com.ua> To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>, "1337 Exploit DataBase" <mr.inj3ct0r@...il.com> Subject: IA and AFU vulnerabilities in aCMS Hello list! These are Insufficient Authorization and Arbitrary File Uploading vulnerabilities in aCMS. This is commercial CMS. There are multiple vulnerabilities in aCMS and it's the second part of them. ------------------------- Affected products: ------------------------- Vulnerable are aCMS 1.0 and previous versions. ------------------------- Affected vendors: ------------------------- Almacor http://almacor.ru ---------- Details: ---------- Insufficient Authorization (WASC-02): There is no restriction on accessing file manager and image manager. Which is not default behavior (developer of MCFileManager and MCImageManager states, that by default these web applications require authorization) and is made by developers of aCMS. http://site/assets/js/tiny_mce/plugins/filemanager/pages/fm/index.html http://site/assets/js/tiny_mce/plugins/imagemanager/pages/im/index.html Arbitrary File Uploading (WASC-31): Plugins MCFileManager and MCImageManager for TinyMCE, which are using in the system, are vulnerable to execution of arbitrary code through bypass of programs' security filters (on IIS and Apache web servers). http://site/assets/js/tiny_mce/plugins/filemanager/pages/fm/index.html http://site/assets/js/tiny_mce/plugins/imagemanager/pages/im/index.html Code will execute via file uploading. The first program is vulnerable to three methods of code execution: via using of symbol ";" (1.asp;.txt) in file name (IIS). via "1.asp" in folder name (IIS), via double extension (1.php.txt) (Apache with special configuration). And the second program is vulnerable to two methods of code execution (#1 and #3). ------------ Timeline: ------------ 2013.03.04 - informed developers about part of the vulnerabilities. 2013.04.03 - informed developers about another part of the vulnerabilities. 2013.04.06 - announced at my site. 2013.04.07 - informed developers about another part of the vulnerabilities. 2013.05.25 - informed developers about another part of the vulnerabilities. In all cases the developers just ignored all messages via different e-mails and contact form. 2013.06.04 - disclosed at my site (http://websecurity.com.ua/6428/). Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists